It’s a cliché in reviews of many pieces of non-fiction to say the book is timely, This is one of them.

During the time I read The Perfect Weapon, New York Times reporter David Sanger’s book on nation-state cyber attacks, a news agency said Russian hackers gained access to the networks of U.S. electric utilities in 2017, the U.S. indicted 12 Russian intelligence agents for hacking into the computer systems of the Democratic Party and candidate Hilary Clinton in 2016; a wave of ransomware attacks was alleged to have come from North Korea; Microsoft seized five web sites pretending to be U.S. government or think tank sites and accused Russia of behind them; and Donald Trump and Vladamir Putin talked about cyber in Helsinki.

“We are living in a gray zone, one of constant digital conflict,” writes Sanger, the Times’ national security correspondent who broke the story of the U.S.-Israel Stuxnet malware attack on Iran’s nuclear centrifuges. To survive this conflict he says the U.S. – and by implication other countries — will have to make some tough, fundamental decisions about how to limit what is basically a low-level cyber war.

Otherwise a simple tit-for-tat will escalate into something really nasty.

What’s this got to do with you? It will take some time for nations come to some sort of agreement on acceptable norms, Sanger writes. In the meantime, the private sector can make a start. More on this later.

This book is about what could go really wrong with digital attack tools, which really are perfect weapons. Leaving aside espionage, which all governments agree to as long as someone doesn’t die, cyber attacks are stealthy, hard to attribute, earn tremendous amounts of intelligence, can leave destructive triggers embedded in critical infrastructure until they’re needed and can cause massive disarray in an enemy: Loss of electricity, hospitals denying medical care, factories shut, airports shut, telecommunications shut, banks shut, government services blocked, election results questioned.

Who needs bombs? Who needs chemical weapons? Who needs to move an army near a border or an aircraft carrier offshore? Want to rattle an enemy? Cut off electricity for a few hours, as Ukraine suffered in two consecutive Decembers. Fingers point at Russia. And you don’t need to be an economic superpower to afford a sophisticated offensive cyber capability.

Conventional weapons are still in the U.S. arsenal. But, Sanger writes, almost every Pentagon scenario for how a future major confrontation with a nation state plays out assumes it will start with a cyber attack. Not surprisingly, many American war plans against its possible adversaries start with the same tactic.

The problem, as Sanger points out, is that the U.S.hasn’t thought deeply enough about the implications of cyber conflict and why some international constraints need to be imposed. What Sager calls “dialed down” cyber weapons –ones that don’t destroy an adversary but “frustrate it, slow it, undermine its institutions” are common today. “The weapons are almost always employed just below the threshold that would lead to retaliation.” What strikes him is that there have been no “grand strategic debates” around cyber as there were in the 1950s and 1960s over U.S. nuclear strategy.

In some ways Sanger paints an understandably one-sided picture. The U.S. doesn’t crow about its successful cyber attacks (although Sanger mentions actions against North Korea’s missile program and Huawei network equipment); meanwhile there’s no shortage of news about data breaches at government departments, political parties and critical infrastructure. Still, there are lots of stories about Washington being caught off guard, of the Obama administration not being willing enough to let opponents know of its cyber retaliatory capabilities.

The book has delightful details of known and unknown cyber incidents of the past decade – the discovery in 2008 of Russian intruders in the Pentagon’s classified networks (source of infection: USB lying around the parking lot), Snowden’s revelations, Chinese intruders siphoning off government employee records from the U.S. Office of Personnel Management; Ukraine; the Russian attacks on the Democratic Party; North Korea’s attack on Sony.

A common thread through these, Sanger argues, is how unprepared the U.S. was. The Sony attack in particular was a problem. President Obama’s administration did “a poor job of making its case against North Korea,” he writes, in part because it felt it couldn’t make all evidence – and U.S. capabilities – public. A counter-attack was possible, but aides feared it would start a circle of escalation. That, Sanger writes, was a sign of what was to come under Obama in dealing with Russia and the Democratic Party hacking. In a section detailing an interview with the current President, Sanger suggests Trump isn’t any more perceptive.

Sanger believes the U.S. has to be more upfront about its cyber capabilities, in part to intimidate others and show it’s willing to use digital weapons. It also has to improve attribution of attacks. At the same time Washington has to be honest. “We cannot expect Russian and Iranian hackers to stop implanting malware in our utility grid unless we are willing to talk about giving up our own implants in their power grids.”

He also wants cyber arms control, or limitations, the way there are on chemical and nuclear weapons. Conceding that it’s not likely in the short run he urges the private sector to establish cyber norms as a good start. Sanger cites Microsoft’s idea of a Digital Geneva Convention. So far many tech companies have agreed to a basic set of principles, including Facebook.

Hope of an agreement?

With Russia, China, North Korea, Iran and others having so much fun, is there much hope in the short term that China and Russia are willing to create an international agreement to limit their online attacks? Perhaps agreeing that critical infrastructure – however that is defined – is off limits? No, Christian Leuprecht, a security and defence expert at Queen’s University, told me this week.
“We – Canada and much of the Western world – are at opposite ends with the objectives what they want to see. I don’t think we’re going to get an agreement on this. But I think we’re going to get some international norms that evolve. We’ll either get it through a catastrophic failure and terrible miscalculation” in retaliation … “or [through] some sense that we probably need some set of rules about how we’re going to conduct ourselves, and that it’s in everybody’s interest to set some boundaries to [avoid] complete destruction.”

Where is Canada in this public debate? Largely silent. The recently-updated National Cyber Security Strategy says “in response to cyber threats of increasing sophistication, the Government of Canada will consider how its advanced cyber capabilities could be applied to defend critical networks in Canada and deter foreign cyber threat actors.”

My guess is we likely won’t launch a counter-strike against a nation caught in our critical infrastructure, unless its part of a NATO or Five Eyes project. But more needs to be discussed publicly.

Last February at a Toronto conference on urban resilience, former Canadian national security advisor Richard Fadden gave this warning: “Cyber will continue to be a major, major issue in part because we haven’t found a way to articulate how dangerous it is and what we can do about it … We need to find a way to deal with this. If Canada wants to do anything we need to find a way to leverage what we want to have happen.”

Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomedia [@] gmail.com